# Feature Matrix — Stella Ops Suite *(rev 5.0 · 09 Jan 2026)* > **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail. --- ## Product Evolution **Stella Ops Suite** is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate. - **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks - **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates - **OCI-digest-first releases** — Immutable digest-based release identity - **Evidence packets** — Every release decision is cryptographically signed and stored --- ## Pricing Model **Principle:** Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes. | Plan | Price | Environments | New Digests/Day | Deployments | Notes | |------|-------|--------------|-----------------|-------------|-------| | **Free** | $0/month | 3 | 333 | Unlimited (fair use) | Full features | | **Pro** | $699/month | 33 | 3,333 | Unlimited (fair use) | Same features | | **Enterprise** | $1,999/month | Unlimited | Unlimited | Unlimited | Fair use on mirroring/audit bandwidth | **Key Principles:** - All plans include all features (no feature gating) - Limits are environments + new digests analyzed per day - Unlimited deployments with fair use policy --- ## Competitive Moat Features *These differentiators are available across all plans.* | Capability | Free | Pro | Enterprise | Notes | |------------|:----:|:---:|:----------:|-------| | Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator | | Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles | | VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution | | Reachability with Portable Proofs | ✅ | ✅ | ✅ | Three-layer analysis | | Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection | | Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets | | Deterministic Replay | ✅ | ✅ | ✅ | `stella replay srm.yaml` | | Non-Kubernetes First-Class | ✅ | ✅ | ✅ | Docker/Compose/ECS/Nomad targets | | Digest-First Release Identity | ✅ | ✅ | ✅ | Immutable releases | --- ## Release Orchestration (Planned) *Release orchestration capabilities are planned for implementation. All plans will include all features.* | Capability | Free | Pro | Enterprise | Notes | |------------|:----:|:---:|:----------:|-------| | **Environment Management** | | | | | | Environment CRUD | ⏳ | ⏳ | ⏳ | Dev/Stage/Prod definitions | | Freeze Windows | ⏳ | ⏳ | ⏳ | Calendar-based blocking | | Approval Policies | ⏳ | ⏳ | ⏳ | Per-environment rules | | **Release Management** | | | | | | Component Registry | ⏳ | ⏳ | ⏳ | Service → repository mapping | | Release Bundles | ⏳ | ⏳ | ⏳ | Component → digest bundles | | Semantic Versioning | ⏳ | ⏳ | ⏳ | SemVer release versions | | Tag → Digest Resolution | ⏳ | ⏳ | ⏳ | Immutable digest pinning | | **Promotion & Gates** | | | | | | Promotion Workflows | ⏳ | ⏳ | ⏳ | Environment transitions | | Security Gate | ⏳ | ⏳ | ⏳ | Scan verdict evaluation | | Approval Gate | ⏳ | ⏳ | ⏳ | Human sign-off | | Freeze Window Gate | ⏳ | ⏳ | ⏳ | Calendar enforcement | | Policy Gate (OPA/Rego) | ⏳ | ⏳ | ⏳ | Custom rules | | Decision Records | ⏳ | ⏳ | ⏳ | Evidence-linked decisions | | **Deployment Execution** | | | | | | Docker Host Agent | ⏳ | ⏳ | ⏳ | Direct container deployment | | Compose Host Agent | ⏳ | ⏳ | ⏳ | Docker Compose deployment | | SSH Agentless | ⏳ | ⏳ | ⏳ | Linux remote execution | | WinRM Agentless | ⏳ | ⏳ | ⏳ | Windows remote execution | | ECS Agent | ⏳ | ⏳ | ⏳ | AWS ECS deployment | | Nomad Agent | ⏳ | ⏳ | ⏳ | HashiCorp Nomad deployment | | Rollback | ⏳ | ⏳ | ⏳ | Previous version restore | | **Progressive Delivery** | | | | | | A/B Releases | ⏳ | ⏳ | ⏳ | Traffic splitting | | Canary Deployments | ⏳ | ⏳ | ⏳ | Gradual rollout | | Blue-Green | ⏳ | ⏳ | ⏳ | Zero-downtime switch | | Traffic Routing Plugins | ⏳ | ⏳ | ⏳ | Nginx/HAProxy/Traefik/ALB | | **Workflow Engine** | | | | | | DAG Workflow Execution | ⏳ | ⏳ | ⏳ | Directed acyclic graphs | | Step Registry | ⏳ | ⏳ | ⏳ | Built-in + custom steps | | Workflow Templates | ⏳ | ⏳ | ⏳ | Reusable workflows | | Script Steps (Bash/C#) | ⏳ | ⏳ | ⏳ | Custom automation | | **Evidence & Audit** | | | | | | Evidence Packets | ⏳ | ⏳ | ⏳ | Sealed decision bundles | | Version Stickers | ⏳ | ⏳ | ⏳ | On-target deployment records | | Audit Export | ⏳ | ⏳ | ⏳ | Compliance reporting | | **Integrations** | | | | | | GitHub Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks | | GitLab Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks | | Harbor Integration | ⏳ | ⏳ | ⏳ | Registry + scanning | | HashiCorp Vault | ⏳ | ⏳ | ⏳ | Secrets management | | AWS Secrets Manager | ⏳ | ⏳ | ⏳ | Secrets management | | **Plugin System** | | | | | | Plugin Manifest | ⏳ | ⏳ | ⏳ | Static declarations | | Connector Runtime | ⏳ | ⏳ | ⏳ | Dynamic execution | | Step Providers | ⏳ | ⏳ | ⏳ | Custom workflow steps | | Agent Types | ⏳ | ⏳ | ⏳ | Custom deployment targets | --- ## Plan Limits | Limit | Free | Pro | Enterprise | |-------|:----:|:---:|:----------:| | **Environments** | 3 | 33 | Unlimited | | **New Digests/Day** | 333 | 3,333 | Unlimited | | **Deployments** | Fair use | Fair use | Fair use | | **Targets per Environment** | 10 | 100 | Unlimited | | **Agents** | 3 | 33 | Unlimited | | **Integrations** | 5 | 50 | Unlimited | --- ## SBOM & Ingestion | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Trivy-JSON Ingestion | ✅ | ✅ | ✅ | | | SPDX-JSON 3.0.1 Ingestion | ✅ | ✅ | ✅ | | | CycloneDX 1.7 Ingestion (1.6 backward compatible) | ✅ | ✅ | ✅ | | | Auto-format Detection | ✅ | ✅ | ✅ | | | Delta-SBOM Cache | ✅ | ✅ | ✅ | Warm scans <1s | | SBOM Generation (all formats) | ✅ | ✅ | ✅ | | | Semantic SBOM Diff | ✅ | ✅ | ✅ | | | BYOS (Bring-Your-Own-SBOM) | ✅ | ✅ | ✅ | | | **SBOM Lineage Ledger** | — | — | ✅ | Full versioned history | | **SBOM Lineage API** | — | — | ✅ | Traversal queries | --- ## Scanning & Detection | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | CVE Lookup via Local DB | ✅ | ✅ | ✅ | | | Licence-Risk Detection | ⏳ | ⏳ | ⏳ | Q4-2025 | | **Language Analyzers (All 11)** | | | | | | — .NET/C#, Java, Go, Python | ✅ | ✅ | ✅ | | | — Node.js, Ruby, Bun, Deno | ✅ | ✅ | ✅ | | | — PHP, Rust, Native binaries | ✅ | ✅ | ✅ | | | **Progressive Fidelity Modes** | | | | | | — Quick Mode | ✅ | ✅ | ✅ | | | — Standard Mode | ✅ | ✅ | ✅ | | | — Deep Mode | — | ✅ | ✅ | Full analysis | | Base Image Detection | ✅ | ✅ | ✅ | | | Layer-Aware Analysis | ✅ | ✅ | ✅ | | | **Concurrent Scan Workers** | 1 | 3 | Unlimited | | --- ## Reachability Analysis | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Static Call Graph | ✅ | ✅ | ✅ | | | Entrypoint Detection | ✅ | ✅ | ✅ | 9+ framework types | | BFS Reachability | ✅ | ✅ | ✅ | | | Reachability Drift Detection | ✅ | ✅ | ✅ | | | Binary Loader Resolution | — | ✅ | ✅ | ELF/PE/Mach-O | | Feature Flag/Config Gating | — | ✅ | ✅ | Layer 3 analysis | | Runtime Signal Correlation | — | — | ✅ | Zastava integration | | Gate Detection (auth/admin) | — | — | ✅ | Enterprise policies | | Path Witness Generation | — | — | ✅ | Audit evidence | | Reachability Mini-Map API | — | — | ✅ | UI visualization | | Runtime Timeline API | — | — | ✅ | Temporal analysis | --- ## Binary Analysis (BinaryIndex) | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Binary Identity Extraction | ✅ | ✅ | ✅ | Build-ID, hashes | | Build-ID Vulnerability Lookup | ✅ | ✅ | ✅ | | | Debian/Ubuntu Corpus | ✅ | ✅ | ✅ | | | RPM/RHEL Corpus | — | ✅ | ✅ | | | Patch-Aware Backport Detection | — | ✅ | ✅ | | | PE/Mach-O/ELF Parsers | — | ✅ | ✅ | | | **Binary Fingerprint Generation** | — | — | ✅ | Advanced detection | | **Fingerprint Matching Engine** | — | — | ✅ | Similarity search | | **DWARF/Symbol Analysis** | — | — | ✅ | Debug symbols | --- ## Advisory Sources (Concelier) | Source | Free | Community | Enterprise | Notes | |--------|:----:|:---------:|:----------:|-------| | NVD | ✅ | ✅ | ✅ | | | GHSA | ✅ | ✅ | ✅ | | | OSV | ✅ | ✅ | ✅ | | | Alpine SecDB | ✅ | ✅ | ✅ | | | Debian Security Tracker | ✅ | ✅ | ✅ | | | Ubuntu USN | ✅ | ✅ | ✅ | | | RHEL/CentOS OVAL | — | ✅ | ✅ | | | KEV (Exploited Vulns) | ✅ | ✅ | ✅ | | | EPSS v4 | ✅ | ✅ | ✅ | | | **Custom Advisory Connectors** | — | — | ✅ | Private feeds | | **Advisory Merge Engine** | — | — | ✅ | Conflict resolution | --- ## VEX Processing (Excititor) | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | OpenVEX Ingestion | ✅ | ✅ | ✅ | | | CycloneDX VEX Ingestion | ✅ | ✅ | ✅ | | | CSAF VEX Ingestion | — | ✅ | ✅ | | | VEX Consensus Resolver | ✅ | ✅ | ✅ | | | Trust Vector Scoring (P/C/R) | ✅ | ✅ | ✅ | | | Claim Strength Multipliers | ✅ | ✅ | ✅ | | | Freshness Decay | ✅ | ✅ | ✅ | | | Conflict Detection & Penalty | ✅ | ✅ | ✅ | K4 lattice logic | | VEX Conflict Studio UI | ✅ | ✅ | ✅ | Visual resolution | | VEX Hub (Distribution) | ✅ | ✅ | ✅ | Internal VEX network | | **Trust Calibration Service** | — | — | ✅ | Org-specific tuning | --- ## Policy Engine | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | YAML Policy Rules | ✅ | ✅ | ✅ | Basic rules | | Belnap K4 Four-Valued Logic | ✅ | ✅ | ✅ | | | Security Atoms (6 types) | ✅ | ✅ | ✅ | | | Disposition Selection (ECMA-424) | ✅ | ✅ | ✅ | | | Minimum Confidence Gate | ✅ | ✅ | ✅ | | | Unknowns Budget Gate | — | ✅ | ✅ | | | Source Quota Gate | — | — | ✅ | 60% cap enforcement | | Reachability Requirement Gate | — | — | ✅ | For criticals | | **OPA/Rego Integration** | — | — | ✅ | Custom policies | | **Exception Objects & Workflow** | — | — | ✅ | Approval chains | | **Score Policy YAML** | — | — | ✅ | Full customization | | **Configurable Scoring Profiles** | — | — | ✅ | Simple/Advanced | | **Policy Version History** | — | — | ✅ | Audit trail | --- ## Attestation & Signing | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | DSSE Envelope Signing | ✅ | ✅ | ✅ | | | in-toto Statement Structure | ✅ | ✅ | ✅ | | | SBOM Predicate | ✅ | ✅ | ✅ | | | VEX Predicate | ✅ | ✅ | ✅ | | | Reachability Predicate | — | ✅ | ✅ | | | Policy Decision Predicate | — | ✅ | ✅ | | | Verdict Manifest (signed) | — | ✅ | ✅ | | | Verdict Replay Verification | — | ✅ | ✅ | | | **Human Approval Predicate** | — | — | ✅ | Workflow attestation | | **Boundary Predicate** | — | — | ✅ | Network exposure | | **Key Rotation Management** | — | — | ✅ | Enterprise key ops | | **SLSA Provenance v1.0** | — | — | ✅ | Supply chain | | **Rekor Transparency Log** | — | — | ✅ | Public attestation | | **Cosign Integration** | — | — | ✅ | Sigstore ecosystem | --- ## Regional Crypto (Sovereign Profiles) *Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.* | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Default Crypto (Ed25519) | ✅ | ✅ | ✅ | | | FIPS 140-2/3 Mode | ✅ | ✅ | ✅ | US Federal | | eIDAS Signatures | ✅ | ✅ | ✅ | EU Compliance | | GOST/CryptoPro | ✅ | ✅ | ✅ | Russia | | SM National Standard | ✅ | ✅ | ✅ | China | | Post-Quantum (Dilithium) | ✅ | ✅ | ✅ | Future-proof | | Crypto Plugin Architecture | ✅ | ✅ | ✅ | Custom HSM | --- ## Determinism & Reproducibility | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Canonical JSON Serialization | ✅ | ✅ | ✅ | | | Content-Addressed IDs | ✅ | ✅ | ✅ | SHA-256 | | Replay Manifest (SRM) | ✅ | ✅ | ✅ | | | `stella replay` CLI | ✅ | ✅ | ✅ | | | Score Explanation Arrays | ✅ | ✅ | ✅ | | | Evidence Freshness Multipliers | — | ✅ | ✅ | | | Proof Coverage Metrics | — | ✅ | ✅ | | | **Fidelity Metrics (BF/SF/PF)** | — | — | ✅ | Audit dashboards | | **FN-Drift Rate Tracking** | — | — | ✅ | Quality monitoring | | **Determinism Gate CI** | — | — | ✅ | Automated checks | --- ## Scoring & Risk Assessment | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | CVSS v4.0 Display | ✅ | ✅ | ✅ | | | EPSS v4 Probability | ✅ | ✅ | ✅ | | | Priority Band Classification | ✅ | ✅ | ✅ | | | EPSS-at-Scan Immutability | — | ✅ | ✅ | | | Unified Confidence Model | — | ✅ | ✅ | 5-factor | | **Entropy-Based Scoring** | — | — | ✅ | Advanced | | **Gate Multipliers** | — | — | ✅ | Reachability-aware | | **Unknowns Pressure Factor** | — | — | ✅ | Risk budgets | | **Custom Scoring Profiles** | — | — | ✅ | Org-specific | --- ## Evidence & Findings | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Findings List | ✅ | ✅ | ✅ | | | Evidence Graph View | ✅ | ✅ | ✅ | Basic | | Decision Capsules | ✅ | ✅ | ✅ | | | **Findings Ledger (Immutable)** | — | — | ✅ | Audit trail | | **Evidence Locker (Sealed)** | — | — | ✅ | Export/import | | **Evidence TTL Policies** | — | — | ✅ | Retention rules | | **Evidence Size Budgets** | — | — | ✅ | Storage governance | | **Retention Tiers** | — | — | ✅ | Hot/Warm/Cold | | **Privacy Controls** | — | — | ✅ | Redaction | | **Audit Pack Export** | — | — | ✅ | Compliance bundles | --- ## CLI Capabilities | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Scanner Commands | ✅ | ✅ | ✅ | | | SBOM Inspect & Diff | ✅ | ✅ | ✅ | | | Deterministic Replay | ✅ | ✅ | ✅ | | | Attestation Verify | — | ✅ | ✅ | | | Unknowns Budget Check | — | ✅ | ✅ | | | Evidence Export | — | ✅ | ✅ | | | **Audit Pack Operations** | — | — | ✅ | Full workflow | | **Binary Match Inspection** | — | — | ✅ | Advanced | | **Crypto Plugin Commands** | — | — | ✅ | Regional crypto | | **Admin Utilities** | — | — | ✅ | Ops tooling | --- ## Web UI Capabilities | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Dark/Light Mode | ✅ | ✅ | ✅ | | | Findings Row Component | ✅ | ✅ | ✅ | | | Evidence Drawer | ✅ | ✅ | ✅ | | | Proof Tab | ✅ | ✅ | ✅ | | | Confidence Meter | ✅ | ✅ | ✅ | | | Locale Support | — | ✅ | ✅ | Cyrillic, etc. | | Reproduce Verdict Button | — | ✅ | ✅ | | | **Audit Trail UI** | — | — | ✅ | Full history | | **Trust Algebra Panel** | — | — | ✅ | P/C/R visualization | | **Claim Comparison Table** | — | — | ✅ | Conflict view | | **Policy Chips Display** | — | — | ✅ | Gate status | | **Reachability Mini-Map** | — | — | ✅ | Path visualization | | **Runtime Timeline** | — | — | ✅ | Temporal view | | **Operator/Auditor Toggle** | — | — | ✅ | Role separation | | **Knowledge Snapshot UI** | — | — | ✅ | Air-gap prep | | **Keyboard Shortcuts** | — | — | ✅ | Power users | --- ## Quota & Operations | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | **Scans per Day** | **33** | **333** | **2,000+** | Soft limit | | Usage API (`/quota`) | ✅ | ✅ | ✅ | | | Client-JWT (Online) | 12h | 30d | Annual | Token duration | | Rate Limiting | ✅ | ✅ | ✅ | | | 429 Backpressure | ✅ | ✅ | ✅ | | | Retry-After Headers | ✅ | ✅ | ✅ | | | **Priority Queue** | — | — | ✅ | Guaranteed capacity | | **Burst Allowance** | — | — | ✅ | 3× daily for 1hr | | **Custom Quotas** | — | — | ✅ | Per contract | --- ## Offline & Air-Gap | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Offline Update Kits (OUK) | — | Monthly | Weekly | Feed freshness | | Offline Signature Verify | — | ✅ | ✅ | | | One-Command Replay | — | ✅ | ✅ | | | **Sealed Knowledge Snapshots** | — | — | ✅ | Full feed export | | **Air-Gap Bundle Manifest** | — | — | ✅ | Transfer packages | | **No-Egress Enforcement** | — | — | ✅ | Strict isolation | | **Offline JWT (90d)** | — | — | ✅ | Extended tokens | --- ## Deployment | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Docker Compose | ✅ | ✅ | ✅ | Single-node | | Helm Chart (K8s) | — | ✅ | ✅ | | | PostgreSQL 16+ | ✅ | ✅ | ✅ | | | Valkey 8.0+ | ✅ | ✅ | ✅ | | | RustFS (S3) | — | ✅ | ✅ | | | **High-Availability** | — | — | ✅ | Multi-replica | | **Horizontal Scaling** | — | — | ✅ | Auto-scale | | **Dedicated Capacity** | — | — | ✅ | Reserved resources | --- ## Access Control & Identity | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Basic Auth | ✅ | ✅ | ✅ | | | API Keys | ✅ | ✅ | ✅ | | | SSO/SAML Integration | ✅ | ✅ | ✅ | Okta, Azure AD | | OIDC Support | ✅ | ✅ | ✅ | | | Basic RBAC | ✅ | ✅ | ✅ | User/Admin | | **Advanced RBAC** | — | — | ✅ | Team-based scopes | | **Multi-Tenant Management** | — | — | ✅ | Org hierarchy | | **Audit Log Export** | — | — | ✅ | SIEM integration | --- ## Notifications & Integrations | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Email Notifications | — | ✅ | ✅ | | | In-App Notifications | ✅ | ✅ | ✅ | | | EPSS Change Alerts | — | ✅ | ✅ | | | Slack Integration | ✅ | ✅ | ✅ | Basic | | Teams Integration | ✅ | ✅ | ✅ | Basic | | Zastava Registry Hooks | ✅ | ✅ | ✅ | Auto-scan on push | | **Custom Webhooks** | — | — | ✅ | Any endpoint | | **CI/CD Gates** | — | — | ✅ | GitLab/GitHub/Jenkins | | **Enterprise Connectors** | — | — | ✅ | Grid/Premium APIs | --- ## Scheduling & Automation | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Manual Scans | ✅ | ✅ | ✅ | | | **Scheduled Scans** | — | — | ✅ | Cron-based | | **Task Pack Orchestration** | — | — | ✅ | Declarative workflows | | **EPSS Daily Refresh** | — | — | ✅ | Auto-update | | **Event-Driven Scanning** | — | — | ✅ | On registry push | --- ## Observability & Telemetry | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Basic Metrics | ✅ | ✅ | ✅ | | | Opt-In Telemetry | ✅ | ✅ | ✅ | | | **OpenTelemetry Traces** | — | — | ✅ | Full tracing | | **Prometheus Export** | — | — | ✅ | Custom dashboards | | **Quality KPIs Dashboard** | — | — | ✅ | Triage metrics | | **SLA Monitoring** | — | — | ✅ | Uptime tracking | --- ## Support & Services | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | Documentation | ✅ | ✅ | ✅ | | | Community Forums | ✅ | ✅ | ✅ | | | GitHub Issues | ✅ | ✅ | ✅ | | | **Email Support** | — | — | ✅ | Business hours | | **Priority Support** | — | — | ✅ | 4hr response | | **24/7 Critical Support** | — | — | ✅ | Add-on | | **Dedicated CSM** | — | — | ✅ | Named contact | | **Professional Services** | — | — | ✅ | Implementation | | **Training & Certification** | — | — | ✅ | Team enablement | | **SLA Guarantee** | — | — | ✅ | 99.9% uptime | --- ## Version Comparison | Capability | Free | Community | Enterprise | Notes | |------------|:----:|:---------:|:----------:|-------| | RPM (NEVRA) | ✅ | ✅ | ✅ | | | Debian (EVR) | ✅ | ✅ | ✅ | | | Alpine (APK) | ✅ | ✅ | ✅ | | | SemVer | ✅ | ✅ | ✅ | | | PURL Resolution | ✅ | ✅ | ✅ | | --- ## Summary by Tier ### Free Tier (33 scans/day) **Target:** Individual developers, OSS contributors, evaluation - All language analyzers (11 languages) - All regional crypto (FIPS/eIDAS/GOST/SM/PQ) - Full VEX processing + VEX Hub + Conflict Studio - SSO/SAML/OIDC authentication - Zastava registry webhooks - Slack/Teams notifications - Core determinism + replay - Docker Compose deployment - Community support ### Community Tier (333 scans/day) **Target:** Startups, small teams (<25), active open source projects Everything in Free, plus: - 10× scan quota - Deep analysis mode - Binary analysis (backport detection) - Advanced attestation predicates - Helm/K8s deployment - Email notifications + EPSS alerts - Monthly Offline Update Kit access **Registration required, 30-day token renewal** ### Enterprise Tier (2,000+ scans/day) **Target:** Organizations 25+, compliance-driven, multi-team Everything in Community, plus: - **Scale**: HA, horizontal scaling, priority queue, burst allowance - **Multi-Team**: Advanced RBAC (scopes), multi-tenant, org hierarchy - **Advanced Detection**: Binary fingerprints, trust calibration - **Compliance**: SLSA provenance, Rekor transparency, audit pack export - **Air-Gap**: Sealed snapshots, 90-day offline tokens, no-egress mode - **Automation**: CI/CD gates, custom webhooks, scheduled scans - **Observability**: OpenTelemetry, Prometheus, KPI dashboards - **Support**: SLA (99.9%), priority support (4hr), dedicated CSM --- --- > **Legend:** ✅ = Included | — = Not available | ⏳ = Planned --- *Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*